
What is the Anubis Android Banking Botnet?
Anubis operates as a modular banking trojan with botnet capabilities, allowing attackers to remotely control infected devices in coordinated campaigns. Unlike simpler malware, Anubis employs multiple evasion techniques including:
- Dynamic payload loading (downloads malicious components after installation)
- Advanced obfuscation (polymorphic code, anti-emulation checks)
- Banking app-specific targeting (custom overlays for 300+ financial apps)
Primary Infection Vectors:
- Fake apps masquerading as utility tools or popular services
- Compromised websites with drive-by downloads
- SMS phishing campaigns with malicious links
- Trojanized versions of legitimate apps on third-party stores
Detailed Technical Features
1. Sophisticated Overlay Attacks
- Real-time screen monitoring detects when banking apps are opened
- Custom phishing overlays mimic legitimate login screens for:
  - Traditional banks (Chase, Wells Fargo, Barclays)
  - Payment apps (PayPal, Venmo, Zelle)
  - Cryptocurrency exchanges (Binance, Coinbase)
- Advanced input capture records credentials, PINs, and 2FA codes
2. Remote Access Trojan (RAT) Capabilities
- VNC server implementation for full device control
- Screen streaming allows attackers to view user activity in real-time
- Command execution via C2 server instructions
- File system access for document theft and further infection
3. Data Exfiltration Modules
- SMS interception for capturing OTP verification codes
- Contact list harvesting for spreading malware to new victims
- Keylogging for comprehensive input monitoring
- Clipboard monitoring to steal cryptocurrency addresses
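The feature list above (overlays, SMS interception, screen monitoring, contact harvesting, dynamic payload loading) maps to a recognisable set of Android manifest declarations. The following is an added defender-side triage example, not code from the original article: it scores an app's declared permissions and service bindings against that capability pattern. The permission and action strings are real AOSP identifiers; the weights, thresholds and sample manifests are constructed for illustration.

```python
from dataclasses import dataclass

# Capability buckets from the feature list above, mapped to the manifest
# declarations an app would typically need to implement each one.
INDICATORS = {
    "overlay":         {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_intercept":   {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "screen_monitor":  {"android.permission.BIND_ACCESSIBILITY_SERVICE",
                        "android.accessibilityservice.AccessibilityService"},
    "persistence":     {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "payload_loading": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

@dataclass(frozen=True)
class Verdict:
    score: int
    capabilities: tuple
    level: str

def capabilities_for(declarations):
    """Return the sorted capability buckets that the declarations satisfy."""
    declared = set(declarations)
    return tuple(sorted(cap for cap, needles in INDICATORS.items() if declared & needles))

def triage(declarations):
    """Score one app; overlay combined with a credential-capture channel
    (SMS or accessibility-driven screen monitoring) is weighted extra because
    that pairing is the banking-trojan signature described above."""
    caps = capabilities_for(declarations)
    score = len(caps)
    if "overlay" in caps and ("sms_intercept" in caps or "screen_monitor" in caps):
        score += 2
    level = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return Verdict(score, caps, level)

def triage_all(manifests):
    """Triage a mapping of package name -> declared permissions/actions."""
    return {pkg: triage(decls) for pkg, decls in manifests.items()}

# Constructed sample manifests (hypothetical package names).
SAMPLE_MANIFESTS = {
    "com.example.flashlight": [  # utility app requesting far more than it needs
        "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS", "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.REQUEST_INSTALL_PACKAGES"],
    "com.example.messenger": [  # SMS client: legitimate reason for SMS + contacts
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS"],
    "com.example.notes": ["android.permission.INTERNET"],
}

if __name__ == "__main__":
    for pkg, verdict in triage_all(SAMPLE_MANIFESTS).items():
        print(pkg, verdict.level, verdict.score, verdict.capabilities)
```

A medium verdict such as the messenger's is expected for apps whose purpose explains the permissions; the heuristic is a triage filter, not a malware verdict on its own.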